phishing-simulation-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (CRITICAL): The skill requests the 'Bash' tool. There is no legitimate reason for a phishing simulation manager to require raw shell access to the host. This allows an agent to execute arbitrary commands, potentially leading to full system compromise.
- [DATA_EXFILTRATION] (HIGH): The skill's stated purpose is to track 'credentialsSubmitted' and user interactions. With 'WebFetch' and 'Write' enabled, an agent can exfiltrate real corporate credentials or sensitive system files (discovered via 'Glob' and 'Read') to external attacker-controlled servers.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection.
  - Ingestion points: External templates via 'customTemplate' file paths and data from third-party integrations (KnowBe4, GoPhish, Microsoft Defender).
  - Boundary markers: None. The skill does not define delimiters or instructions to ignore embedded commands in templates.
  - Capability inventory: 'Bash' (execution), 'Write' (persistence/modification), 'WebFetch' (network).
  - Sanitization: No sanitization or validation of template content is described, allowing an attacker to embed instructions in a 'customTemplate' that trigger the 'Bash' tool.
- [CREDENTIALS_UNSAFE] (HIGH): The 'landingPageAction' includes 'credential-capture'. This provides a ready-to-use infrastructure for harvesting actual user credentials under the guise of a simulation.
- [REMOTE_CODE_EXECUTION] (HIGH): The 'WebFetch' tool allows for the download of remote scripts, which can then be directly executed using the 'Bash' tool, bypassing standard security controls.
Recommendations
- AI detected serious security threats